package com.floragunn.searchguard.ssl.transport;

import com.floragunn.searchguard.ssl.SearchGuardKeyStore;
import com.floragunn.searchguard.ssl.util.SSLConfigConstants;
import java.net.InetSocketAddress;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.Version;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.io.stream.NamedWriteableRegistry;
import org.elasticsearch.common.logging.ESLogger;
import org.elasticsearch.common.logging.Loggers;
import org.elasticsearch.common.network.NetworkService;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.BigArrays;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.netty.NettyTransport;
import org.jboss.netty.channel.ChannelHandlerContext;
import org.jboss.netty.channel.ChannelPipeline;
import org.jboss.netty.channel.ChannelPipelineFactory;
import org.jboss.netty.channel.ChannelStateEvent;
import org.jboss.netty.channel.ExceptionEvent;
import org.jboss.netty.channel.SimpleChannelHandler;
import org.jboss.netty.handler.ssl.NotSslRecordException;
import org.jboss.netty.handler.ssl.SslHandler;

/* loaded from: input_file:com/floragunn/searchguard/ssl/transport/SearchGuardSSLNettyTransport.class */
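/**
 * Netty transport that puts a TLS {@link SslHandler} at the head of every client and
 * server transport pipeline and replaces the "dispatcher" handler with
 * {@link SearchGuardMessageChannelHandler}.
 *
 * <p>All key material and engine configuration (protocols, ciphers, trust, client
 * authentication) comes from {@link SearchGuardKeyStore}; none of it is decided here.
 * NOTE(review): whether the server engine requires a client certificate cannot be told
 * from this class; confirm in {@code createServerTransportSSLEngine()}.
 */
public class SearchGuardSSLNettyTransport extends NettyTransport {
    private final SearchGuardKeyStore sgks;

    /**
     * Placeholder handler that sits first in the client pipeline until a connect is
     * requested, then swaps itself for a real {@link SslHandler}. The swap is deferred
     * because the peer address, which is only known at connect time, is passed to the
     * client engine for hostname verification.
     */
    protected static class ClientSSLHandler extends SimpleChannelHandler {
        private final ESLogger log;
        private final boolean hostnameVerificationEnabled;
        private final boolean hostnameVerificationResovleHostName;
        private final SearchGuardKeyStore sgks;

        /**
         * @param searchGuardKeyStore source of the client-side {@link SSLEngine}
         * @param z whether the peer host name and port are handed to the engine
         * @param z2 whether the host name is taken from {@code getHostName()} (may do a
         *     reverse lookup) rather than {@code getHostString()}
         */
        private ClientSSLHandler(SearchGuardKeyStore searchGuardKeyStore, boolean z, boolean z2) {
            this.log = Loggers.getLogger(getClass());
            this.sgks = searchGuardKeyStore;
            this.hostnameVerificationEnabled = z;
            this.hostnameVerificationResovleHostName = z2;
        }

        /** Delegates unchanged to the superclass; no TLS-specific handling happens here. */
        public void exceptionCaught(ChannelHandlerContext channelHandlerContext, ExceptionEvent exceptionEvent) throws Exception {
            super.exceptionCaught(channelHandlerContext, exceptionEvent);
        }

        /**
         * Builds the client {@link SSLEngine} for the address being connected to, installs
         * it as "ssl_client" in place of this handler, and forwards the connect event.
         *
         * @throws org.elasticsearch.ElasticsearchException (via
         *     {@code ExceptionsHelper.convertToElastic}) if the engine cannot be created
         */
        public void connectRequested(ChannelHandlerContext channelHandlerContext, ChannelStateEvent channelStateEvent) {
            try {
                final SSLEngine engine;
                if (this.hostnameVerificationEnabled) {
                    // assumes the connect event always carries an InetSocketAddress; any other
                    // type fails with a ClassCastException that the catch below does not cover.
                    InetSocketAddress peer = (InetSocketAddress) channelStateEvent.getValue();
                    // getHostName() may trigger a reverse name-service lookup when the address
                    // was created from an IP literal, so the name handed to the engine is then
                    // only as trustworthy as the resolver. getHostString() never looks up.
                    String hostName = this.hostnameVerificationResovleHostName ? peer.getHostName() : peer.getHostString();
                    if (this.log.isDebugEnabled()) {
                        // The debug line evaluates getHostName() regardless of the resolve flag,
                        // so enabling debug logging can cause reverse lookups by itself.
                        this.log.debug("Hostname of peer is {} ({}/{}) with hostnameVerificationResovleHostName: {}", new Object[]{hostName, peer.getHostName(), peer.getHostString(), Boolean.valueOf(this.hostnameVerificationResovleHostName)});
                    }
                    engine = this.sgks.createClientTransportSSLEngine(hostName, peer.getPort());
                } else {
                    // No peer identity is given to the engine. NOTE(review): presumably this
                    // means the certificate is not matched against the host name at all;
                    // confirm in SearchGuardKeyStore before relying on this mode.
                    engine = this.sgks.createClientTransportSSLEngine(null, -1);
                }
                SslHandler sslHandler = new SslHandler(engine);
                // TLS renegotiation is switched off on the handler.
                sslHandler.setEnableRenegotiation(false);
                channelHandlerContext.getPipeline().replace(this, "ssl_client", sslHandler);
                channelHandlerContext.sendDownstream(channelStateEvent);
            } catch (SSLException e) {
                throw ExceptionsHelper.convertToElastic(e);
            }
        }
    }

    /**
     * Client pipeline factory: prepends a {@link ClientSSLHandler} and swaps the
     * dispatcher for {@link SearchGuardMessageChannelHandler}.
     */
    protected static class SSLClientChannelPipelineFactory extends NettyTransport.ClientChannelPipelineFactory {
        private final boolean hostnameVerificationEnabled;
        private final boolean hostnameVerificationResovleHostName;
        private final ESLogger nettyLogger;
        private final SearchGuardKeyStore sgks;

        /**
         * Reads the two hostname-verification settings; both default to {@code true} when
         * the setting is absent.
         *
         * @param nettyTransport owning transport
         * @param settings node settings the verification flags are read from
         * @param eSLogger logger passed on to the message channel handler
         * @param searchGuardKeyStore source of the client-side engine
         */
        public SSLClientChannelPipelineFactory(NettyTransport nettyTransport, Settings settings, ESLogger eSLogger, SearchGuardKeyStore searchGuardKeyStore) {
            super(nettyTransport);
            this.sgks = searchGuardKeyStore;
            this.hostnameVerificationEnabled = settings.getAsBoolean(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION, true).booleanValue();
            this.hostnameVerificationResovleHostName = settings.getAsBoolean(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME, true).booleanValue();
            this.nettyLogger = eSLogger;
        }

        /** Returns the superclass pipeline with the TLS placeholder first and the dispatcher replaced. */
        public ChannelPipeline getPipeline() throws Exception {
            ChannelPipeline pipeline = super.getPipeline();
            // First position, so the handler is in place before the connect event is forwarded.
            pipeline.addFirst("client_ssl_handler", new ClientSSLHandler(this.sgks, this.hostnameVerificationEnabled, this.hostnameVerificationResovleHostName));
            pipeline.replace("dispatcher", "dispatcher", new SearchGuardMessageChannelHandler(this.nettyTransport, this.nettyLogger));
            return pipeline;
        }
    }

    /**
     * Server pipeline factory: prepends an {@link SslHandler} built from the server
     * transport engine and swaps the dispatcher for {@link SearchGuardMessageChannelHandler}.
     */
    protected static class SSLServerChannelPipelineFactory extends NettyTransport.ServerChannelPipelineFactory {
        private final ESLogger nettyLogger;
        private final SearchGuardKeyStore sgks;

        /**
         * @param nettyTransport owning transport
         * @param str name passed to the superclass constructor
         * @param settings settings passed to the superclass constructor
         * @param settings2 not used by this constructor
         * @param eSLogger logger passed on to the message channel handler
         * @param searchGuardKeyStore source of the server-side engine
         */
        public SSLServerChannelPipelineFactory(NettyTransport nettyTransport, String str, Settings settings, Settings settings2, ESLogger eSLogger, SearchGuardKeyStore searchGuardKeyStore) {
            super(nettyTransport, str, settings);
            this.sgks = searchGuardKeyStore;
            this.nettyLogger = eSLogger;
        }

        /** Returns the superclass pipeline with "ssl_server" first and the dispatcher replaced. */
        public ChannelPipeline getPipeline() throws Exception {
            ChannelPipeline pipeline = super.getPipeline();
            SslHandler sslHandler = new SslHandler(this.sgks.createServerTransportSSLEngine());
            // TLS renegotiation is switched off on the handler.
            sslHandler.setEnableRenegotiation(false);
            // Head of the pipeline: inbound bytes reach the TLS handler before any other handler.
            pipeline.addFirst("ssl_server", sslHandler);
            pipeline.replace("dispatcher", "dispatcher", new SearchGuardMessageChannelHandler(this.nettyTransport, this.nettyLogger));
            return pipeline;
        }
    }

    /**
     * Handles TLS failures on a started transport by logging them, closing the channel
     * and disconnecting the node channel; everything else goes to the superclass.
     *
     * <p>{@link SSLHandshakeException} is a subclass of {@link SSLException}, so it must
     * be tested first. With the generic check in front, the handshake branch could never
     * run and handshake failures were reported as a generic "SSL Problem".
     */
    protected void exceptionCaught(ChannelHandlerContext channelHandlerContext, ExceptionEvent exceptionEvent) throws Exception {
        if (this.lifecycle.started()) {
            Throwable cause = exceptionEvent.getCause();
            boolean tlsFailure = true;
            if (cause instanceof NotSslRecordException) {
                // A peer sent non-TLS bytes to the TLS transport port; the remote address is
                // logged so the source can be identified.
                this.logger.warn("Someone ({}) speaks transport plaintext instead of ssl, will close the channel", new Object[]{channelHandlerContext.getChannel().getRemoteAddress()});
            } else if (cause instanceof SSLHandshakeException) {
                // Most specific type first, see the method comment.
                this.logger.error("Problem during handshake " + cause.getMessage(), new Object[0]);
            } else if (cause instanceof SSLException) {
                this.logger.error("SSL Problem " + cause.getMessage(), cause, new Object[0]);
            } else {
                tlsFailure = false;
            }
            if (tlsFailure) {
                // Never keep a channel whose TLS layer failed.
                channelHandlerContext.getChannel().close();
                disconnectFromNodeChannel(channelHandlerContext.getChannel(), cause);
                return;
            }
        }
        super.exceptionCaught(channelHandlerContext, exceptionEvent);
    }

    /**
     * Creates the transport; the first six arguments are passed straight to
     * {@link NettyTransport}.
     *
     * @param searchGuardKeyStore key store that supplies the TLS engines for both directions
     */
    @Inject
    public SearchGuardSSLNettyTransport(Settings settings, ThreadPool threadPool, NetworkService networkService, BigArrays bigArrays, Version version, NamedWriteableRegistry namedWriteableRegistry, SearchGuardKeyStore searchGuardKeyStore) {
        super(settings, threadPool, networkService, bigArrays, version, namedWriteableRegistry);
        this.sgks = searchGuardKeyStore;
    }

    /** Returns the TLS-enabled client pipeline factory, built from this node's settings. */
    public ChannelPipelineFactory configureClientChannelPipelineFactory() {
        this.logger.debug("Node client configured for SSL", new Object[0]);
        return new SSLClientChannelPipelineFactory(this, this.settings, this.logger, this.sgks);
    }

    /**
     * Returns the TLS-enabled server pipeline factory.
     *
     * @param str name forwarded to the factory's superclass
     * @param settings settings forwarded to the factory's superclass
     */
    public ChannelPipelineFactory configureServerChannelPipelineFactory(String str, Settings settings) {
        this.logger.debug("Node server configured for SSL", new Object[0]);
        return new SSLServerChannelPipelineFactory(this, str, settings, this.settings, this.logger, this.sgks);
    }
}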
